Upmarket US department store Neiman Marcus has been hit by hackers who broke into systems before lifting an as-yet-unspecified number of credit and debit card details.
Neiman Marcus confirmed a security breach in a series of updates to its official Twitter account and apologised, without detailing the extent of the problem or …

Re: you'll be thinking about it in your mansion by the fire,

Usually, but not necessarily.

I actually received one of those invites about 10 years back. At the time I was handling finances for an NPO and our budget for the year was around $750,000. But we did run most of our bills through Amex including some hefty hotel bills* and international travel. It was cool reading it, but it immediately went through the shredder. I got the impression they thought I was worth as much money as the corporation was. I can see where they would be beneficial cards for a company with that sort of cash flow, especially if they traveled internationally.

*First time we used it to pay the hotel bill our card was cut off in the middle of the weekend, so never let them tell you there isn't a limit. They just do a constantly rolling evaluation of it, and since it is a charge card instead of a credit card, the limit is a great deal higher than it would be for a credit card. After that we'd pre-pay $100,000 or so before our big event, and let them know the big event was happening so they'd be seeing our typical yearly surge in charges.

Re: Posh My Arse

Interesting. So one or both of 'Neiman' and 'Marcus' aren't surnames, eh? You sure about that? 'cause I'm pretty damn sure that the store was started by a Mr. Marcus, partnering with his sister and her husband, the Neimans. And a quick google says... yep. https://en.wikipedia.org/wiki/Neiman_Marcus.

Hint: pretty much any 'first name' can end up being a 'surname'. Examples include Joseph, John, James, Patrick, William, Steven, Donald, Gregory, Dennis, Jacque, Jean, Erich, Rahman, Ali... further examples available at your local elementary school. An awful lot of 'surnames' _are_ first names, because many of them derived from 'so-and-so son/daughter of name' or 'so-and-so of the family/clan/sept of name'. This kind of thing tends to be really common in Germanic languages, such as, oh, _English_. And _German_. And is also well-known in non-Germanic languages including Arabic and Hebrew and Zulu.

damn, boy, why didn't you just do a quick Google before making an idiot out of yourself?

Re: Posh My Arse

Re: "the man with two first names"

That's ok, I knew his balancer when I was in high school: the man with two last names. I still call him by the name I learned then, but it is quite understandable why he routinely goes by "Jim" these days instead of Gerheart.

Encryption?

"The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store."

So the lifted details were not encrypted in any way? Anyone? El Reg? A little detail that is so important to this story and its possible repercussions.

Re: Encryption?

Wish I could remember where I read the details, but the point of attack was the interface between two sets of exchanges. Both individual links were secure end to end, and they thought the transfer between the two was good as well. It sounded like the breach was both novel and clever. Although this is the first article I've seen confirming it was the POS system and not the back end db that was cracked. I was suspicious about that because of the too careful wording they were using to describe the breach and the ranged time period.

Re: Encryption?

Found it:

Target ran into a problem, Eric Chiu, president and co-founder of cloud control company HyTrust said, where point-of-sale and customer database systems connect to networks. Chiu said hackers can access that point and sneak undetected inside a corporate network. Ominously, he also added because of the density of information available on today’s networks, hackers don’t just get some data, they get a lot of it.

Re: Encryption?

"Wish I could remember where I read the details, but the point of attack was the interface between two sets of exchanges. Both individual links were secure end to end, and they thought the transfer between the two was good as well. It sounded like the breach was both novel and clever. Although this is the first article I've seen confirming it was the POS system and not the back end db that was cracked. I was suspicious about that because of the too careful wording they were using to describe the breach and the ranged time period."

If the exploit was made in the POS system, then that smacks of an inside job of some sophistication. Based on what I know of modern retail POS systems, they're (a) trade secrets with tons of secret sauce, (b) rolled out in very controlled and restricted ways to minimize disruptions, and (c) deployed on a closed intranet.

Therefore, to get an exploit onto a modern POS system would involve (a) tampering with a very secret program code (how many people have code access for the POS system?), (b) slipping the exploit into a scheduled software rollout, passing any testing that would've occurred before then, and (c) either bridging the intranet with the Internet or extracting the siphoned details locally in some other manner.

I don't think any outsider could achieve a feat of the scale we're talking about.

I suspect PCI will have to look into reducing the trust level of the POS system as a result of this. Based on what I've read, the standards as they are mean the POS can obtain the card data unencrypted, and that may have to change. Newer equipment may mandate the use of encrypting magstripe readers and the use of PKI where not even the store knows the decryption key (IOW, only the payment processor would be able to receive the magstripe data). This may also be considered as Chip-and-PIN is considered for American rollout (because despite its increased security, it has been shown to have holes that can be exploited at the POS level as well).

Target relies on a Virtual Solution ...

"In 2004, Target joined the Microsoft Technology Adoption Program (TAP) for virtualization and found the solution it was looking for. During the TAP, the Microsoft team worked closely with Target Technology Services team members to virtualize the Linux-based pharmacy solution and run it successfully in a Microsoft Virtual Server 2005 environment"

Erm, the POS systems belong to the store, not the credit card company.

Now, how did the POS systems, aka cash registers, manage to have a path out, which is required for that information to leave the system and land on an outsider's computer?

POS systems should not be able to route traffic to each other, especially not offsite in another store. They should also not have the ability to route traffic to the internet at all. To and from the transaction servers only.

What normally happens is that the POS units link to a back-office server for that store, which in turn is connected to the company headquarters or some midway point, depending on the scales involved. And it's headquarters that also tells the back-office machines who to contact on the corporate net in regards to credit card transactions and so on (if they don't route the transactions themselves, another possibility).

AFAIK, these all run on closed networks (most of the ones I've seen use Class 1 10.x.x.x private net addresses).
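The segmentation rule in this post (registers talk to the store's transaction server and nothing else) as a defender's check, an added example that is not from the article or any commenter: it walks constructed flow records and flags any register that reaches another register, another internal host, or anything outside the 10.x.x.x corporate space. The subnets, the server address and port, and the one-line log format are all assumptions.

```python
"""Egress policy check for a POS subnet over constructed flow records."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Assumed layout (not from the page): registers live in 10.20.5.0/24, the
# store's back-office transaction server is 10.20.6.10 on port 8443, and the
# whole corporate network is 10.0.0.0/8. Anything else is a violation.
POS_SUBNET = ipaddress.ip_network("10.20.5.0/24")
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_DESTS = {("10.20.6.10", 8443)}


def parse_flow(line):
    """Parse one constructed record of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow):
    """Return None if the flow is allowed, else a short reason string."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in POS_SUBNET:
        return None  # not a register (e.g. the back-office server talking to HQ)
    if (flow.dst, flow.dport) in ALLOWED_DESTS:
        return None  # register -> transaction server on the payment port
    if dst not in CORP_NET:
        return "pos-to-offsite"  # a path out of the store network
    if dst in POS_SUBNET:
        return "pos-to-pos"  # registers should never talk to each other
    return "pos-to-other-internal"  # wrong host, or right host on the wrong port


def find_violations(lines):
    """Return [(Flow, reason)] for every record that breaks the policy."""
    flows = (parse_flow(l) for l in lines if l.strip() and not l.startswith("#"))
    return [(f, classify(f)) for f in flows if classify(f)]


SAMPLE_LOG = """\
# constructed flow records: src dst dport proto
10.20.5.21 10.20.6.10 8443 tcp
10.20.5.22 10.20.6.10 8443 tcp
10.20.5.21 10.20.5.22 445 tcp
10.20.5.23 203.0.113.7 443 tcp
10.20.6.10 10.0.0.5 8443 tcp
10.20.5.24 10.30.1.9 21 tcp
10.20.5.21 10.20.6.10 22 tcp
"""

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_LOG.splitlines()):
        print(f"{reason}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```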